Up Again Romania: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

An employer must carry out temperature checks on employees and visitors before they enter the premises.

According to Decree no. 394/2020 on the approval of the institution of the state of alert at a national level and on the applicable measures for the prevention and the control of the effects of the COVID-19 pandemic (Decree 394), public institutions and authorities, economic operators and professionals have the obligation to conduct their activities in a manner that ensures, at the entrance into the premises, the epidemiological screening and the mandatory disinfection of hands for both employees and visitors.

According to Order no. 831/2020 on the measures for the prevention of the contamination with the new coronavirus and on the assurance of the performance of the activities at the workplace in conditions of security and health during the state of alert (Order 831), all public sector and private sector employers must:

  • appoint a person responsible for checking the temperature of all people entering the premises/institution; and
  • ensure the temperature of the employees is checked at the start of working hours and whenever necessary during working hours.

Order 831 imposes a corresponding obligation on public sector and private sector employees: they must accept the temperature checks when entering the premises, at the beginning of working hours and whenever returning to the premises.

In addition, the joint Order no. 874/81/2020 issued by the Minister of Internal Affairs and the Minister of Health (Order 874) regulates how such temperature checks are performed.

Temperature measurement must be performed with a non-contact thermometer for both employees and visitors. A person may enter the premises only if the measured temperature is not higher than 37.3°C; if the measured temperature is above this limit, there is a procedure to be followed.

Order 874 provides that epidemiological triage does not involve the recording of personal data.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

As specified above, Decree 394, Order 831 and Order 874 provide for an employer to perform the epidemiological triage on employees and visitors before they enter the premises, carrying out temperature checks and also observing other respiratory symptoms. However, further health checks or the completion of specific questionnaires are not expressly included in the epidemiological triage regulated by Order 874.

The Romanian Data Protection Authority has not yet issued a communication or guideline expressly addressing this subject.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Employees are obliged to notify their employer if they have contracted COVID-19. However, there are no express legal provisions or guidelines regulating the possibility of the employer requiring the employee to notify it if a member of the employee’s household has contracted COVID-19 or has the antigen.

Order 831 obliges public sector and private sector employees to:

  • immediately notify the employer if at the beginning of the working hours, or during working hours, the employee shows specific COVID-19 symptoms; and
  • stay at home and notify the employer before the beginning of working hours if the employee shows specific COVID-19 symptoms.

The Romanian Data Protection Authority has not yet issued a communication or guideline expressly addressing this subject.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Order 831 sets out an obligation to inform the people who came into contact (for more than 20 minutes, at a distance of under 1.5 m and without a mask) with an employee or other person suspected of having contracted COVID-19 or confirmed as having COVID-19.

However, it is unclear who bears this obligation (e.g. the employer or perhaps medical personnel). Considering the wording, arguably, it is the employer’s.

Besides emphasising that the disclosure of a natural person’s name and state of health in the public space can be made only with the consent of the person concerned, the Romanian Data Protection Authority has not issued a communication or guideline expressly addressing this subject.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

It is unclear whether an employer can share information with a health authority about cases of people having contracted coronavirus.

In accordance with Order 874, when performing the epidemiological triage, if the measured temperature remains above 37.3°C or the presence of other respiratory symptoms is observed, the employee must be sent for a consultation with their family doctor.

If the employee falls within the definition of a case suspected of COVID-19, the family doctor will recommend testing. However, it is unclear whether the employer should inform the medical centre before sending the employee to the medical centre.

The Romanian Data Protection Authority has not yet issued a communication or guideline expressly addressing this subject.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Health data can be transferred by an employer to one of their affiliates outside the EEA if the provisions of GDPR on the transfer of personal data are complied with (including the obligations related to the information of the employees).

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Decree 394 and Order 831 do not provide for any express rights or obligations for employers in this respect.

The Romanian Data Protection Authority has not yet issued a communication or guideline expressly addressing this subject.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

As stated by the European Data Protection Board, the data controller must ensure the protection of the personal data of data subjects in relation to measures taken to tackle COVID-19. This essentially means an employer must still comply with all relevant GDPR principles and any local data protection rules.

Employers intending to process health data of staff or visitors should take the following measures as a minimum to help minimise data protection risks:

  • Be transparent: inform employees and visitors about the intended measures you plan to take, what data you will collect from them, for what purposes you will use it, how long you will keep it, and who you will share it with. Information should be provided in relation to the contact person in charge of handling any data subject requests you may receive as a result of the measures you have taken.
  • Ensure any information processed as a result of testing is kept secure and confidential.
  • Limit the nature and volume of personal data processed to that which is absolutely necessary and proportionate - the data minimisation principle requires you to collect data that is relevant for and limited to the aim pursued.
  • Only retain information for as long as necessary and ensure that personal data processed remains accurate.
  • Carry out a data protection impact assessment to record the risks and mitigation steps taken before carrying out any testing.
  • Only use the information for health and safety management during the current coronavirus emergency situation.
  • Update your records of processing activities: many companies that keep such records will need to add new data processing activities if they perform processing activities relating to fighting COVID-19.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

In the event of breach of GDPR, the Romanian Data Protection Authority can:

  • issue administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and
  • implement a range of other measures, including:
    • issuing warnings and reprimands, imposing a temporary or permanent ban on data processing;
    • ordering the rectification, restriction or erasure of data; or
    • suspending data transfers to third countries.

Individuals may also claim compensation for breaches of GDPR.